European Data Protection and Data Transfer

European Law and the GDPR

As of May 25, 2018, a new data privacy law known as the EU General Data Protection Regulation (or the “GDPR”) will be in effect, through the EEA countries.  The GDPR (and other European privacy laws) make a distinction between organisations that process Personal Data for their own purposes (known as “data controllers”) and organisations that process Personal Data on behalf of other organisations (known as “data processors”).  The GDPR requires companies that are “Data Controllers” (which includes some of our clients) provide users with certain information about the processing of their “Personal Data.” “Personal Data” is a term used in Europe that means, generally, data that identifies or can identify a particular unique user or device – for instance, names, addresses, cookie identifiers, mobile device identifiers, precise location data and biometric data.   

We sometimes process Personal Data relating to data subjects (i.e., persons) on behalf of these clients, and we therefore often enter into agreements to assist them in complying with their own obligations under the GDPR.  However, if you have a question or complaint about how your Personal Data is handled, we encourage you to direct your inquiry to the relevant data controller, since data controllers are the ones with primary responsibility for your Personal Data.

On the other hand, we are data controllers of Personal Data that we collect from our own website, and from our own customers.   As to that data, please note the following :

  1. We rely on performance of our contracts, and our legitimate interests, as a legal basis for our processing of the data that we control.  For instance, when we process and retain our customers’ Personal Data, or send information to companies that we believe are interested in our services, we rely on these legal bases;
  2. We retain the data that we control for as long as is necessary or appropriate to fulfill the purpose for which the data was collected;
  3. You may request access to, or deletion or correction of, the Personal Data that we hold about you by contacting us through the contact information listed in Section 13.  If you request that we delete your Personal Data, we will remove you from our marketing lists, but will continue to maintain certain Personal Data where we have an important legal, accounting, billing or auditing reason to do so.